from penetrate and patch to building security in
play

From Penetrate and Patch to Building Security In Michael Hicks - PowerPoint PPT Presentation

Apr 03, 2023 •147 likes •898 views

From Penetrate and Patch to Building Security In Michael Hicks Professor of Computer Science and the UofM Institute for Advanced Computer Studies (UMIACS) Distinguished Scholar-Teacher talk September 28, 2015 Security breaches Just a few:

  1. From Penetrate and Patch to Building Security In Michael Hicks Professor of Computer Science and the UofM Institute for Advanced Computer Studies (UMIACS) Distinguished Scholar-Teacher talk September 28, 2015

  2. Security breaches Just a few: • TJX (2007) - 94 million records* • Adobe (2013) - 150 million records, 38 million users • eBay (2014) - 145 million records • Anthem (2014) - Records of 80 million customers • Target (2013) - 110 million records • Heartland (2008) - 160 million records *containing SSNs, credit card nums, other private info https://www.oneid.com/7-biggest-security-breaches-of-the-past-decade-2/

  3. Defects and Vulnerabilities • Many (if not all of) these breaches begin by exploiting a vulnerability • This is a security-relevant software defect (bug) or design flaw that can be exploited to effect an undesired behavior • The use of software is growing 50M LOC 2B LOC • So: more bugs and flaws • Especially in places that are new to using software … …

  4. Stuxnet specifically targets … processes such as those used to control … centrifuges for separating nuclear material . Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system …, then seeking out Siemens Step7 software. http://www.nytimes.com/ 2010/09/26/world/middleeast/ 26iran.html

  5. The result of their work was a hacking technique —what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control , via the Internet, to any of thousands of vehicles. http://www.wired.com/2015/07/ hackers-remotely-kill-jeep- highway/

  6. Considering Correctness • All software is buggy , isn’t it? Why not a problem from way back? • A normal user never sees most bugs , or figures out how to work around them • Therefore, companies fix the most likely bugs , to save money

  7. Considering Security Key difference: An attacker is not a normal user! • The attacker will actively attempt to find defects , using unusual interactions and features • A typical interaction with a bug results in a crash • An attacker will work to exploit the bug to do much worse , to achieve his goals

  8. Cyber-defense?

  9. Cyber-defense? Popular technologies such as firewalls , anti- virus , and intrusion detection/prevention , attempt to detect the attacks themselves. But new attacks can be produced that avoid detection but exploit the same vulnerabilities

  10. Penetrate and Patch 1. Find a vulnerability 2. Develop patch 3. Deploy patch (and detection signature) But : Still vulnerable to undiscovered bugs … and new bugs introduced by software upgrades

  11. and bugs in security products themselves! Security researcher Tavis Ormandy disclosed the existence of a vulnerability which impacts on Kaspersky [security] products . Hermansen, [another researcher,] publicly disclosed a zero-day vulnerability within cyberforensics firm FireEye's security product , complete with proof-of-concept code. http://www.zdnet.com/article/ fireeye-kaspersky-hit-with-zero- day-flaw-claims/

  12. Building Security In The long-term solution is to prevent all exploitable bugs before deploying Avoid the holes to start with!

  13. Analogy • How do you build a bridge that stands up despite harsh conditions? • Heavy use • Earthquakes • Extreme weather • Etc.

  14. Analogy • Study the problem. Develop the best Methods • Materials • Tools • • Then use them from Day 1!

  15. Analogy • Study the problem. Develop the best Methods • Materials • Tools • • Then use them from Day 1!

  16. Do not • Use methods that fail to incorporate larger lessons (i.e., from past bridges built and past failures) • Use cheap materials that are unresilient • Use unreliable tools that produce inconsistent results • Assume that you can do these things and everything will be OK (you can just patch problems later )

  17. Unless you want your bridge to fail

  18. Building Security In • What about software?

  19. Building Security In • What about software? Same idea: Security from Day 1 • Consider it in your design • Use the best tools and methods • Best programming languages • Best program development environment • Best testing and verification methods

  20. Building Security In Why not done already? • Ignorance • Unproven/insufficient technology • Concerns about cost • to change legacy programs • to (re)train staff in new process, technology, etc.

  21. Some of my work • Eliminating vulnerabilities at the outset with better languages and testing tools • Highlight: Cyclone : A safer “low level” programming language • Focusing attention on building, not breaking • Coursera on-line course on software security • Build-it, Break-it, Fix-it programming contest IT BUILD BREAK FIX

  22. From bugs to exploits

  23. Software Processor • Software consists of (CPU) instructions that tell a computer what to do • A program is a set of instructions to achieve a particular task • Instructions are kept Memory Data and within the computer’s (RAM) Instructions memory when executed by the processor

  24. Computing R = X Y • Goal: multiply X by itself a total of Y times • Program: R will contain the final result • Use a counter C to track of the number of multiplications • Like counting on your fingers!

  25. Computing R = X Y Instructions Data Set R to 1 X = 3 Set C to Y Is C ≤ 0 ? 2 Y = If so, skip to the end Set R to X · R C = Set C to C - 1 If C > 0 repeat the above two instructions R =

  26. Computing R = X Y Instructions Data Set R to 1 X = 3 Set C to Y Is C ≤ 0 ? 2 Y = If so, skip to the end Set R to X · R C = 2 Set C to C - 1 If C > 0 repeat the above two instructions R = 1

  27. Computing R = X Y Instructions Data Set R to 1 X = 3 Set C to Y Is C ≤ 0 ? 2 Y = If so, skip to the end Set R to X · R C = 1 2 Set C to C - 1 If C > 0 repeat the above two instructions R = 1 3

  28. Computing R = X Y Instructions Data Set R to 1 X = 3 Set C to Y Is C ≤ 0 ? 2 Y = If so, skip to the end Set R to X · R C = 1 0 2 Set C to C - 1 If C > 0 repeat the above two instructions R = 3 1 9 Done

  29. Computing R = X Y exp: movl $1, %eax Set R to 1 testl %esi, %esi Set C to Y jle .L3 Is C ≤ 0 ? .L6: If so, skip to the end imull %edi, %eax subl $1, %esi Set R to X · R jne .L6 Set C to C - 1 .L3: If C > 0 repeat the above two instructions machine instructions %edi = contains base value X %esi = contains exponent Y and counter C %eax = contains result R

  30. Programming Languages • Many machine instructions for simple programs - hard for humans to understand and maintain! • Programming languages designed to help • Higher level - Closer to human language • First ones (e.g., FORTRAN) in the 1950’s • Programs are translated (aka compiled ) into machine instructions to be executed by the processor • Many languages developed in the last 60 years! • Different languages have different strengths

  31. Programming Languages

  32. Programming Languages

  33. Programming Languages

  34. What is popular today? http://spectrum.ieee.org/static/interactive-the-top-programming-languages

  35. Our program in the C language int exp(int x, int y) { int r = 1; while (y > 0) { r = r * x; y = y - 1; } return r; } In Java it would look much the same, but that’s not true in general

  36. Our program in the Python language def exp(x, y): r = 1 while y > 0: r = r * x y = y - 1 return r

  37. Our program in the OCaml language let rec exp x y = if y = 0 then 1 else x * exp x (y-1)

  38. Our program in the Prolog language exp(X,0,1) :- !. exp(X,Y,R) :- Y1 is Y-1, exp(X,Y1,R1), R is X * R1.

  39. Software flaws and defects • Programmers make mistakes • So software often has defects (aka bugs ) int exp(int x, int y) { int r = 1; while (y ≥ 0) { r = r * x; should be “greater than” y = y - 1; not “greater than or equal to” } return r; }

  40. Exploitable bugs • Some bugs can be exploited • An attacker can control how the program runs so that any incorrect behavior serves the attacker • Many kinds of exploits have been developed over time, with technical names like Buffer overflow • • Use after free • SQL injection • Command injection • Cross-site scripting • Cross-site request forgery • …

  41. What is a buffer overflow? • A buffer overflow is a dangerous bug that affects programs written in C and C++ • Normally , a program with this bug will simply crash • But an attacker can alter the situations that cause the program to do much worse • Steal private information • Corrupt valuable information • Run code of the attacker’s choice

  42. Buffer overflows from 10,000 ft • Buffer = • Block of memory associated with a variable • Overflow = • Put more into the buffer than it can hold • Where does the overflowing data go?

  43. Normal interaction Password? abc123 Instructions Failed 1. print “Password?” to the screen Data 2. read input into variable X X 3. if X matches the password then log in abc123 X = 4. else print “Failed” to the screen

Recommend

UP and Security: Penetrate-and-patch Overview of UMLsec (aka banana strategy): Jan

UP and Security: Penetrate-and-patch Overview of UMLsec (aka banana strategy): Jan

2 Software Engineering & Security UP and Security: Penetrate-and-patch Overview of UMLsec (aka banana strategy): Jan Jrjens insecure Competence Center for IT Security disruptive Software & Systems Engineering

219 views • 7 slides
0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan

0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan

BLACKHAT Europe 2008 0-Day Patch 0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan Frei + Bernhard Tellenbach Communication Systems Group ETH Zurich Switzerland http://www.csg.ethz.ch

414 views • 17 slides
How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to Aws console 2. Select launch instance 3. Select your OS 4. Choose instance type 5. Select VPC 6. Add storage 7. Tag your instance 8. Configure security

185 views • 14 slides
An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of Generate-And- Validate Patch Genera8on System Zichao Qi , Fan Long, Sara Achour, and Mar8n Rinard MIT

323 views • 29 slides
BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION

BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION

BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION Mr. S pea k e r , wish to dedicate this sectoral presentation to the hardworking, devoted and uncompromising I members of Jamaicas security

478 views • 21 slides
La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong Zhang 1 , Chenguang Zhu 2 , Yi Li 3 , Jianmei Guo 1 , Lihua Liu 1 , and Haobo Gu 1 1. Alibaba Group 2. University of Texas at Austin 3. Nanyang

462 views • 7 slides
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4 Linux Kernel (patch) 2002: LSM 2003:

764 views • 43 slides
Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

5/21/2015 Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and Dermatology Irritation of Post-Market Dermatology Irritation Evaluation Change and Generic Drug Evaluation Presented by Mark Liu,

529 views • 22 slides
General-Purpose Image Forensics Using Patch Likelihood under Image Statistical Models The 7th

General-Purpose Image Forensics Using Patch Likelihood under Image Statistical Models The 7th

General-Purpose Image Forensics Using Patch Likelihood under Image Statistical Models The 7th IEEE International Workshop on Information Forensics and Security Wei Fan, Kai Wang, and Franc ois Cayre GIPSA-lab, Grenoble, France 18-11-2015

513 views • 19 slides
Concepts Drive Change AUSA v7, 4 OCT 2018 Compete Penetrate Dis-Integrate Exploit Re-Compete

Concepts Drive Change AUSA v7, 4 OCT 2018 Compete Penetrate Dis-Integrate Exploit Re-Compete

Concepts Drive Change AUSA v7, 4 OCT 2018 Compete Penetrate Dis-Integrate Exploit Re-Compete 1 Threats Layer Stand - off Combined Arms Armies employ organic long-, mid-, and short-range systems to create operational and tactical

372 views • 9 slides
Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Great Pacific Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas) -1.8 Trillion pieces of microplastic (not biodegradable) -88,000 Tons -Comprised of the Western Garbage Patch (near Japan) and

388 views • 6 slides
Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

COMPOSITE MPOSITE PATCH PATCH REPAIR REPAIR CO OF METALLIC MARINE STRUCTURES OF METALLIC MARINE STRUCTURES Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym: "Co-Patch www.co-patch.com Duration: 36

663 views • 21 slides
DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @ I N G O B E N T E ) B S I D E S M U N I C H 2 0 1 8 Patching Isnt that solved? Nope, its not. R E M E M B E R T H O S E R A N S O M

635 views • 48 slides
Building a Culture of Security Agenda What is a Culture of Security? Regulatory

Building a Culture of Security Agenda What is a Culture of Security? Regulatory

Building a Culture of Security Agenda What is a Culture of Security? Regulatory Requirements Cyber Hygiene How to Develop a Culture of Security What is a Culture of Security A set of values, shared by everyone in an

350 views • 11 slides
PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 03/2013 EX Patch Planer for Excavators EX Patch Planer for Excavators EX Patch Planer for

1.27k views • 80 slides
CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits Drive-by malware 3 4 Go Google le patch ches Chrome zero-da day under under active e at attacks 6 Con

920 views • 62 slides
Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett josh@joshtriplett.org LinuxCon North America 2016 RFC: feature RFC: feature Development git commit git format-patch -3 git format-patch -3 [PATCH 1/3]

1.19k views • 105 slides
Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security

Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security

IP Security Cunsheng Ding HKUST, Kong Kong, China C. Ding - COMP4631 - L21 1 Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security Association Building Block: Security Association Database

694 views • 33 slides
researchsoc.iu.edu Thank you for attending. Our webinar will begin shortly. Building a Security

researchsoc.iu.edu Thank you for attending. Our webinar will begin shortly. Building a Security

researchsoc.iu.edu Thank you for attending. Our webinar will begin shortly. Building a Security Exercise Program Josh Drake Senior Security Analyst, Indiana University Center for Applied Cybersecurity Research Housekeeping All

461 views • 30 slides
Security 1 To read more This days papers: Smith and Weingart, Building a

Security 1 To read more This days papers: Smith and Weingart, Building a

Security 1 To read more This days papers: Smith and Weingart, Building a high-performance, programmable secure coprocessor, 1998, Sections 1-6, 10 Supplementary reading: Anderson, Security Engineering , Chapter 16.

1.08k views • 69 slides
Building Better Security Partners: What have we learned from the past and how it applies today.

Building Better Security Partners: What have we learned from the past and how it applies today.

Building Better Security Partners: What have we learned from the past and how it applies today. Civilian Research Project by Geoff Stewart AWC fellow at Duke University 2016 Building Partner Capacity What can we learn from past experience?

211 views • 18 slides
A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many Problems are Inherently Multiscale Wu & David (2001) Hierarchical Patch Dynamics (HPD) ( Wu and Loucks 1995) HPD explicitly integrates

188 views • 15 slides
Nassau County BOCES BUILDING AN INFORMATION SECURITY PROGRAM WITH CIS 20 AND NIST CSF MARCH 13,

Nassau County BOCES BUILDING AN INFORMATION SECURITY PROGRAM WITH CIS 20 AND NIST CSF MARCH 13,

Nassau County BOCES BUILDING AN INFORMATION SECURITY PROGRAM WITH CIS 20 AND NIST CSF MARCH 13, 2020 Adaptive Security AGENDA Introductions Presidio Cyber Security Practice Overview Why are we here? Common District Cyber

814 views • 56 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides

More recommend